IT GENERAL CONTROLS & THE PREVENTION OF FRAUD

Ed Tobias, CISA, CIA, CFE
May 11, 2011

AGENDA
• What are IT General Controls?
• 5 Areas for Review
• Case Study

What are IT General Controls (ITGC)?

What is a “control”?
• Process developed by management
• Provides reasonable assurance that:
  • Operations – effective & efficient
  • Reliable financial reporting
  • Compliance – laws & regulations
• Used to manage risks (“control someone’s behavior”)
• Examples:
  • Policies & procedures
  • Approvals
  • Reconciliations
  • SoD (Segregation of Duties)

What’s the difference?
• ITGC are used to manage technology risks

ITGC affect everything based on technology:
• Passwords
• Program Changes / System updates
• Roles / SoD
• Backups / Recovery
• 3rd-party providers

3 main technology areas:
1. System (servers)
2. Network
3. Applications

ITGC are part of the entire system of internal control.

ITGC provide assurance that information systems are working as intended:
• Rely on the information
• Legal / regulatory compliance
• Effective / efficient operations

Center for Internet Security
• Applying ITGC consistently
• Protects against 85%+ of top vulnerabilities reported by:
  • NIST
  • FBI
  • SANS Institute
  • Computer Security Institute

Without effective ITGC, where is the fraud …
• Financial statement schemes
• Asset misappropriation schemes
  • Fraudulent disbursements
  • Theft of assets/inventory
• Bribery / Conflicts of interest

Without effective ITGC, where is the fraud …
• Theft of Intellectual Property
• Financial Institution Fraud
• Check & Credit Card Fraud
• Insurance Fraud
• Health Care Fraud
• Securities Fraud
• Consumer Fraud – Identity Theft
• Computer / Internet Fraud
• Public Sector Fraud

Almost everywhere, since we use technology to:
• Store information
• Make decisions

5 Areas for Review

1. IT Entity-Level
2. Change Management
3. Information Security
4. Backup and Recovery
5. 3rd-party IT Providers

Normally done by IT Auditors
• Technology skills/background
• Can also be performed by:
  • Operational/financial auditors
  • IT Security / Compliance

Need to determine the “key information technology risks”
• Framework (NIST, COBIT)
• IT Management

  • What 3-5 things keep them awake at night?

1. IT Entity-Level
• Need to understand IT involvement
• Assess IT complexity:
  • Low – COTS, 1 server, 1-15 users
  • High – ERP and/or customized, 4+ servers, 30+ users
• Impact to the system?
• Mitigating controls?
• Policies & procedures
  • Acceptable Use
  • Found in Employee Manual

What about …
• USB Thumb Drives
• Smartphones
Your data has legs!

What about …
• Rogue wireless access points
Your network is OPEN!

Acceptable Use
• Information Security responsibilities
YOU are responsible for your company’s data!

1. IT Entity-Level
• Annual Technology Plan
• Annual Budget
• Prioritization of IT projects

2. Change Management
• All changes to the system:
  • Properly authorized
  • Securely implemented
• SoD is important!

2. Change Management
• Vendor does changes
  • Access always on?
  • Logging access times?
  • Review key reports before/after changes?

2. Change Management
• Key Spreadsheets
  • Locked down?
  • Protected formulas?
  • Restricted access?

Impact of Spreadsheet Errors
• Data entry error of $118,000
• $11M severance error
• $30M spreadsheet error
• $644M misstatement
Statistics from 2006 ACL White Paper – Spreadsheets

3. Information Security
• Physical Security
• Passwords
• User IDs
• Roles in the system
• Administrators / Super Users
• Logging
• Encryption
• Wireless Access

3. Information Security
• Physical Security

3. Information Security
• Password best practices (NIST)
  • Password length – 8
  • Complex passwords – 2/4
    • Upper / lower case
    • Numeric (0-9)
    • Special (!,@,#,$)
  • Password history – 90 days
  • Suspended after 3 tries
  • Change initial password
  • Password history – 8

3. Information Security
• Password best practices (NIST)
  • Mitigating controls
  • No dictionary words
  • Regular training / awareness
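As an added example (not from the presentation), a small checker that enforces the password rules on these slides as I read them: minimum length 8, at least 2 of 4 character classes, no dictionary words, no reuse of the last 8 passwords, and suspension after 3 failed tries. The word list is a constructed sample and the salted PBKDF2 hashing is my assumption; the slides do not prescribe a hashing scheme.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8          # "Password length - 8"
MIN_CLASSES = 2         # "Complex passwords - 2/4"
HISTORY_DEPTH = 8       # "Password history - 8"
MAX_FAILED_TRIES = 3    # "Suspended after 3 tries"
DICTIONARY = {"password", "welcome", "summer", "letmein"}  # constructed sample list


def hash_password(password, salt=b""):
    """Salted PBKDF2 digest; history stores (salt, digest) pairs, never clear text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def matches(password, entry):
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_password(password, history):
    """Return policy violations (empty list = compliant). `history` is newest-last."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < MIN_CLASSES:
        problems.append("not complex enough")
    if any(word in password.lower() for word in DICTIONARY):
        problems.append("contains dictionary word")
    if any(matches(password, entry) for entry in history[-HISTORY_DEPTH:]):
        problems.append("reused within last %d passwords" % HISTORY_DEPTH)
    return problems


class Account:
    """Login counter that suspends the account after MAX_FAILED_TRIES."""
    def __init__(self, password):
        self.entry = hash_password(password)
        self.failed = 0
        self.suspended = False

    def login(self, attempt):
        if self.suspended:
            return False
        if matches(attempt, self.entry):
            self.failed = 0
            return True
        self.failed += 1
        self.suspended = self.failed >= MAX_FAILED_TRIES
        return False
```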

3. Information Security
• User IDs
  • No sharing
  • No generic IDs (e.g. Clerk1)
  • No default IDs/passwords
  • CIRT.net – 444 vendors, 1800+ passwords

3. Information Security
• Roles in the system
  • Simplify security administration
  • Regularly reviewed?

3. Information Security
• Administrators / Super Users – “Keys to the Kingdom”
  • Limited number
  • Required for job duties
  • Audit trail / logging
  • Use only when necessary
  • Periodic review

3. Information Security
• Logging
  • Slows down the system
  • Critical changes/info
  • Protected from Admins
  • Regularly reviewed

3. Information Security
• Encryption – Data at rest
  WHY?
  • Hacked
  • Internal theft
  • Backups are compromised

3. Information Security
• Encryption – Data in transit
  WHY?
  • Packet sniffing – Wire theft
  • War driving

3. Information Security
• Wireless Access
  • Wireless Access Policy
  • Encryption
  • MAC Address filtering

4. Backup and Recovery
• Encrypted?
• Limited access

5. 3rd-party IT Providers – “Data in the Cloud”
• Outsource anything:
  • Servers (Data Center)
  • Virtual Servers on demand
  • Applications
  • Virus scanning

5. 3rd-party IT Providers
• SAS70
  • Replaced by SSAE16 Type 2
  • Effective June 15, 2011
  • Financial Reporting
• SOC 2
  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy
  • Risk-based control framework

Case Study

Profiled in the Nov/Dec 2010 and Jan/Feb 2011 issues of Fraud Magazine.
• Deputy treasurer/controller issued $236,000 in checks through an authorized maker scheme
• Detected through manual reconciliation & computer exception report
• A $7,148 check cleared the bank but was not an outstanding check
• An uncashed check of $7,148 to a vendor was found in his office
• Clerk noticed missing exception reports
• Looked at IT system changes for the days with missing reports
• Staff cuts left him as the authorized person for changes
• IT discovered 2 inactive, unauthorized program changes
  • $215,846
  • $13,930

What went wrong?

• Weak IT Entity-Level controls
• Improper SoD
• Poor change management
• Weak controls in payment dept
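The detective control that caught the scheme, as an added example that is not part of the presentation: an exception report that flags cleared checks the register cannot explain (cleared but not outstanding, or payee/amount differing from what was issued), plus the follow-up the clerk did, listing the business days on which the report did not run and the program changes dated those days. Check numbers, payees, amounts, dates and change ids are all constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample check register: number -> (payee, amount, still outstanding?)
REGISTER = {
    1001: ("Acme Supply", 7148.00, True),
    1002: ("City Power", 950.25, False),   # cleared in an earlier period
    1003: ("Office Depot", 120.00, True),
}
# Constructed sample of what the bank reports as cleared this period.
CLEARED = [
    (1001, "J. Doe", 7148.00),          # same number/amount, different payee
    (1002, "City Power", 950.25),       # clearing a second time
    (1003, "Office Depot", 120.00),     # normal
    (1004, "J. Doe", 2500.00),          # never issued per the register
]


def exception_report(register, cleared):
    """Return (check_no, reason) for every cleared item the register cannot explain."""
    findings = []
    for number, payee, amount in cleared:
        entry = register.get(number)
        if entry is None:
            findings.append((number, "cleared but never issued per register"))
            continue
        reg_payee, reg_amount, outstanding = entry
        if not outstanding:
            findings.append((number, "cleared but not an outstanding check"))
        if reg_payee != payee or abs(reg_amount - amount) > 0.005:
            findings.append((number, "payee/amount differs from register"))
    return findings


def days_without_report(start, end, report_days):
    """Business days in [start, end] on which no exception report was produced."""
    missing, day = [], start
    while day <= end:
        if day.weekday() < 5 and day not in report_days:
            missing.append(day)
        day += timedelta(days=1)
    return missing


def changes_to_review(change_log, missing_days):
    """Program changes dated on report-less days: the first place to look."""
    wanted = set(missing_days)
    return [change for change in change_log if change[0] in wanted]
```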

Questions

Contact Information

[email protected]
http://www.linkedin.com/in/ed3200